Amendments to the Claims:

This listing of claims will replace all prior versions, and listings of claims in the application: 



Listing of Claims: 

1-27. (Canceled)

28. (Currently amended): The method of claim[[27]]_30, further comprising the step of:

providing ingress filtering at said logical ports.

29. (Currently amended): The method of claim[[27]]_30, wherein said security association contains at least two keys, one key for encryption and another key for computing an authentication code, wherein said security association is associated with a VLAN, wherein said authentication code is used to limit traffic at a -one of said logical ports to members of an entire VLAN, wherein encryption is used to keep traffic private except to members, wherein only stations having said security association belong to said VLAN, and wherein all stations having said security association belong to the same broadcast domain.

30. (Currently amended): The method of claim[[28]]_31, wherein a physical port said access point may serve more than one VLAN by having multiple logical ports associated with it.

31. (Currently amended): The method of claim 27, further comprising the steps of: In a system for segregating traffic amongst a plurality of stations that are associated with an access point, a method for joining a personal virtual local area network (VLAN) served by said access point, comprising steps of:

providing a control channel for authentication of a requester by a creator of said personal VLAN;

using said control channel to relay authentication protocol messages between said creator and said requester;

if said creator can authenticate said requester, then said creator sharing a security association it holds with said requester;

using said security association shared among members of said personal VLAN to identify frames originating from said members, wherein:

if a received frame carries a null virtual LAN ID (VID) or is untagged, then using its source MAC address to determine a preliminary VLAN classification of said received frame a logical port; and

if said frame carries a VID, then using said VID as said preliminary VLAN classification instead;

using said preliminary VLAN classification to index into a table of security associations giving an authentication code key;

said received frame carrying an authentication code computed over a frame payload thereof using a message digest algorithm agreed upon by both said personal VLAN bridge creator and said requester at authentication time and having been recorded in said table of security associations;

said - a receiver of said received frame personal VLAN bridge re-computing said-an authentication code, using said authentication code as an authentication code key, over said payload of said received frame;

comparing said re-computed authentication code with said received authentication code;

wherein if said re-computed authentication code and said received authentication code match, then said preliminary VLAN classification becomes a final VLAN classification;

using said final VLAN classification as a value of a VLAN classification parameter of any corresponding data request primitives;

decrypting said frame using said security association; and

submitting said decrypted frame to a forwarding and learning process;

otherwise, discarding said frame.

32-37. (Canceled)

38. (New): A method for segregating traffic among a plurality of end stations associated with a network access point comprising:

an end station from among said plurality of end stations performing an initial authentication operation;

receiving a frame at said end station;

if said frame carries a null virtual LAN ID (VID) or is untagged, then using its source MAC address to determine a preliminary VLAN classification of said frame;

if said frame carries a VID, then using said VID as said preliminary VLAN classification instead;

using said preliminary classification to index into a table of security associations giving a cryptographic authentication code key;

said received frame including a cryptographic authentication code computed over a frame payload thereof using a cryptographic message digest algorithm that is determined at a time during said initial authentication operation, said cryptographic message digest being recorded in said table of security associations;

said end station re-computing said cryptographic authentication code, using said cryptographic authentication code key, over said payload of said received frame;

comparing said re-computed cryptographic authentication code with said received cryptographic authentication code;

wherein if said re-computed cryptographic authentication code and said received cryptographic authentication code match, then:

using said preliminary VLAN classification as a value of a VLAN classification parameter of any corresponding data request primitives;

decrypting said received frame using said table of security associations, and

submitting said decrypted frame to a forwarding and learning process;

wherein if said re-computed cryptographic authentication code and said received cryptographic authentication code do not match, then discarding said received frame.

39. (New): The method of claim 38 wherein said authentication code is a cryptographic authentication code which uniquely identifies a VLAN to which traffic belongs.

40. (New): The method of claim 38 wherein said authentication code key is generated during said initial authentication.

41. (New): The method of claim 38 wherein said initial authentication operation is performed between said end station and said access point.

42. (New): The method of claim 42 wherein said cryptographic digest method algorithm is agreed upon by both said access point and said end station.
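
The receive-side steps recited in claims 31 and 38 (preliminary classification, security-association lookup, authentication-code check, discard on mismatch) can be illustrated as follows. This is an added example and not part of the filing; HMAC as the keyed construction, the table contents, and all names are assumptions, and the decryption step is left out because the claims name no cipher.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SecurityAssociation:
    digest: str      # message digest agreed at authentication time
    auth_key: bytes  # authentication code key

@dataclass(frozen=True)
class Frame:
    src_mac: str
    vid: Optional[int]  # None = untagged, 0 = null VID
    payload: bytes
    auth_code: bytes

# Constructed sample tables (hypothetical MACs, VIDs and keys).
MAC_TO_VLAN = {"02:00:00:00:00:0a": 10, "02:00:00:00:00:14": 20}
SA_TABLE = {
    10: SecurityAssociation("sha256", b"constructed-key-vlan-10"),
    20: SecurityAssociation("sha256", b"constructed-key-vlan-20"),
}

def compute_auth_code(sa: SecurityAssociation, payload: bytes) -> bytes:
    """Authentication code over the frame payload (HMAC is an assumption)."""
    return hmac.new(sa.auth_key, payload, sa.digest).digest()

def classify(frame: Frame) -> Optional[int]:
    """Return the final VLAN classification, or None to discard the frame."""
    # Preliminary classification: the VID if tagged, else the source MAC.
    if frame.vid:
        prelim = frame.vid
    else:
        prelim = MAC_TO_VLAN.get(frame.src_mac)
    sa = SA_TABLE.get(prelim)
    if sa is None:
        return None  # no security association for this classification
    expected = compute_auth_code(sa, frame.payload)
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(expected, frame.auth_code):
        return None  # a VID tag or MAC alone does not prove membership
    return prelim    # preliminary classification becomes final

def signed_frame(src_mac: str, vid: Optional[int], payload: bytes,
                 key_vlan: int) -> Frame:
    """Build a constructed test frame signed with the key of key_vlan."""
    code = compute_auth_code(SA_TABLE[key_vlan], payload)
    return Frame(src_mac, vid, payload, code)
```

A frame tagged with VID 20 but carrying a code computed with the VLAN 10 key is discarded, which is the segregation property the claims rely on.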